Effective Date: 10th December 2019
Copyright© 2019 by ITC
The information contained herein is proprietary and confidential information for the use of Integrated Telecom Company, personnel only. No part of these materials should be reproduced, published in any form by any means, electronic or mechanical including photocopy or any information storage or retrieval system nor should the materials be disclosed to third parties unless previously authorized in writing by Integrated Telecom Company. Product names mentioned herein are for identification purposes only and may be Trademarks and/or Registered Trademarks of their respective companies. This document is proprietary and confidential for Integrated Telecom Company.
The management of Integrated Telecom Company is committed for meeting the requirement, maintaining and continuously improving effective personally identifiable information (PII) security that safeguards information assets as well as the intellectual properties of ITC and clients.
An organization cannot properly protect PII it does not know about. ITC follows this broad definition of PII to identify as many potential sources of PII as possible (e.g., databases, shared network drives, backup tapes, contractor sites). PII is ― any information about an individual maintained by ITC, including
Examples of PII at ITC shall include, but will not be limited to
ITC shall minimize the use, collection and retention of PII to what is strictly necessary to accomplish its business purpose and mission. ITC shall, thereby, greatly reduce the likelihood of harm caused by a breach involving PII.
ITC shall –
ITC shall ensure that –
PII in ITC shall be evaluated to determine its PII confidentiality impact level so that appropriate safeguards can be applied to the PII.
The PII confidentiality impact level shall be rated as low, moderate, or high to indicate the potential harm that could result to the subject individuals and/or the organization if PII were inappropriately accessed, used, or disclosed.
ITC shall use the following factors to determine the PII confidentiality impact level.
ITC shall evaluate how easily PII can be used to identify specific individuals. For example, a SID uniquely and directly identifies an individual, whereas a telephone area code identifies a set of people.
ITC shall consider how many individuals can be identified from the PII. Breaches of 25 records and 25 million records may have different impacts. The PII confidentiality impact level should only be raised and not lowered based on this factor.
ITC shall evaluate the sensitivity of each individual PII data field. For example, an individual’s SID or financial account number is generally more sensitive than an individual’s phone number or ZIP code.
ITC shall also consider how many individuals can be identified from the PII. Breaches of 25 records and 25 million records may have different impacts. The PII confidentiality impact level shall only be raised and not lowered based on this factor.
ITC shall also evaluate the sensitivity of the PII data fields when combined.
ITC shall evaluate the context of use -- the purpose for which the PII is collected, stored, used, processed, disclosed, or disseminated. The context of use may cause the same PII data elements to be assigned different PII confidentiality impact levels based on their use. For example, suppose that ITC has two lists that contain the same PII data fields (e.g., name, address, phone number). The first list is people who subscribe to a general-interest newsletter produced by the organization, and the second list is people who work undercover in law enforcement. If the confidentiality of the lists is breached, the potential impacts to the affected individuals and to the organization are significantly different for each list.
If ITC is subject to any obligations to protect PII, it shall consider such obligations when determining the PII confidentiality impact level. Obligations to protect generally include laws, regulations, or other mandates.
ITC shall take into consideration the nature of authorized access to and the location of PII. When PII is accessed more often or by more people and systems, or the PII is regularly transmitted or transported offsite, then there are more opportunities to compromise the confidentiality of the PII.
Since all PII cannot be protected in the same way, ITC may apply appropriate safeguards to protect the confidentiality of PII based on the PII confidentiality impact level.
ITC may do the following operational safeguards, privacy-specific safeguards, and security controls as appropriate.
ITC shall develop comprehensive policies and procedures for protecting the confidentiality of PII.
ITC shall reduce the possibility that PII will be accessed, used, or disclosed inappropriately by requiring that all individuals receive appropriate training before being granted access to systems containing PII.
ITC may de-identify records by removing enough PII such that the remaining information does not identify an individual and there is no reasonable basis to believe that the information can be used to identify an individual. De-identified records can be used when full records are not necessary, such as for examinations of correlations and trends.
ITC may control access to PII through access control policies and access enforcement mechanisms (e.g., access control lists).
ITC may prohibit or strictly limit access to PII from portable and mobile devices, such as laptops, cell phones, and personal digital assistants (PDA), which are generally higher risk than non-portable devices.
ITC may protect the confidentiality of transmitted PII. This may be accomplished by encrypting the communications or by encrypting the information before it is transmitted.
ITC may monitor events that affect the confidentiality of PII, such as inappropriate access to PII.
Whenever physical media are used for information transfer, a system shall be put in place to record incoming and outgoing physical media containing PII, including the type of physical media, the authorized sender/recipients, the date and time, and the number of physical media. Where possible, cloud service customers shall be asked to put additional measures in place (such as encryption) to ensure that the data can only be accessed at the point of destination and not en route.
In cases where individual cloud service customer audits are impractical or may increase risks to security, ITC , as the public cloud PII processor shall make available to prospective cloud service customers, prior to entering into, and for the duration of, a contract, independent evidence that information security is implemented and operated in accordance with the public cloud PII processor’s policies and procedures.
An information security incident should trigger a review by the public cloud PII processor, as part of its information security incident management process, to determine if a data breach involving PII has taken place
Breaches involving PII are hazardous to both individuals and organizations. Harm to individuals and organizations can be contained and minimized through the development of effective incident response plans for breaches involving PII.
ITC shall develop plans that include elements such as determining when and how individuals should be notified, how a breach should be reported, and whether to provide remedial services, such as credit monitoring, to affected individuals.
ITC shall establish close coordination among all officers responsible for PII. They may propose and implement technical security controls to enforce the confidentiality of PII. Close coordination of the relevant experts shall help prevent incidents that could result in the compromise and misuse of PII by ensuring proper interpretation and implementation of requirements.
Contractual agreements that involve PII shall clearly allocate responsibilities between ITC as the public cloud PII processor, its sub-contractors and the cloud service customer, taking into account the type of cloud service in question (e.g. a service of an IaaS, PaaS or SaaS category of the cloud computing reference architecture).
ITC, as a public cloud PII processor shall designate a point of contact for use by each of its cloud service customers regarding the processing of PII under the contract.
A process shall be put in place to review event logs with a specified, documented periodicity, to identify irregularities and propose remediation efforts.
Where possible, event logs shall record whether or not PII has been changed (added, modified or deleted) as a result of an event and by whom.
ITC, as the public cloud PII processor, shall define criteria regarding if, when and how log information can be made available to or usable by its cloud service customer. These procedures shall be made available to the cloud service customer.
Where a cloud service customer is permitted to access log records controlled by ITC as the public cloud PII processor, ITC shall ensure that the cloud service customer can only access records that relate to that respective cloud service customer’s activities, and cannot access any log records which relate to the activities of other cloud service customers.
ITC shall put in place measures to ensure that logged information is only used for its intended purposes.
ITC shall put in place a procedure to ensure that logged information is deleted within a specified and documented period.